Black Hat: External Content Threatens Web Security - InformationWeek

Companies that rely on third-party Web content place themselves at the mercy of their partners' security practices.

At the Black Hat USA 2010 conference in Las Vegas on Tuesday, Dasient, an anti-malware company, warned that enterprises are putting their Web sites at risk by relying on third-party content.

In a report titled "Structural Vulnerabilities on Websites: Why Enterprise Websites Are Vulnerable to Malware Attacks," Dasient claims that the subversion of external content, such as JavaScript widgets, ads, and third-party applications, has become a popular mechanism for compromising legitimate Web sites.

"Enterprise Web sites typically have relatively tight control over their own software development lifecycle (SDLC) and security practices," the report says. "However, they very often rely on third-party partners to provide content, advertisements, or software applications that power the enterprise’s Web sites."

These partners often lack enterprise-level controls, Dasient's report observes, which makes their systems and software more susceptible to attack and infection.

Unfortunately, such third-party content is common. Some 75% of Web sites use third-party JavaScript widgets, Dasient claims, going up to as much as 99% in certain verticals like travel/entertainment/leisure. About 42% of Web sites employ third-party ads, or ad-related JavaScript. And as many as 91% of companies currently rely on outdated applications for their Web sites.

Such content presents higher risk than is necessary.

The problem, Dasient argues, is that these vulnerabilities are often structural, and are thus not easily remedied. A news Web site, for example, can't simply decide to forgo advertising because some ads carry malware.

Certainly, Web page infections are a problem. A new Web page gets infected every 1.3 seconds, according to Dasient, which says that the number of malware-infected Web pages has grown by a factor of 12 in four years.

Related research from Websense last year indicates that 77% of Web sites with malicious code are legitimate sites that have been compromised.

Dasient's answer is its Malware Monitoring system. But more than products or services, companies need to demand security from their partners, if they want to protect their reputation and their brand.

Black Hat and InformationWeek are both properties of TechWeb.
